Uncover shadow IT and phishing threats using Netlas.io
Even minor changes to the attack surface can cause a breach. Detecting such unauthorized changes is a critical process.
The term "Shadow IT" generally refers to those parts of the attack surface that the security team does not account for. Such elements are risky because attacks on them may initially go unnoticed.
Search for domains in other zones
Similar domains, such as netlas.io and netlas.am, may arise in different situations, such as the opening of a regional branch of a company or some experiments. Attackers can also register domains in neighboring zones in order to mislead someone, for example, using email. Using the search syntax features of the Netlas search engine, you can find such domains and determine whether they belong to a known part of the infrastructure or fall under Shadow IT.
Searching for third-level domains can help identify services used by company employees. Cloud services such as CRM, collaboration tools, and others often create a workspace for their clients using third-level domains, for example netlas.cloud-service.com. The Netlas DNS search tool is an effective way to identify such cases.
Phishing resources are often hosted on similarly spelled domain names. You can uncover such resources using the Netlas fuzzy search feature. Use the ~1 or ~2 operator to query domains that differ by 1 or 2 characters, respectively.
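The three domain heuristics above (same name in another zone, the name as a third-level domain, and names that differ by 1 or 2 characters) can also be applied offline to a list of domains already collected from search results. The following Python is an added example, not Netlas code: the function names, the use of plain Levenshtein distance, the assumption of single-label zones, and the sample domains are all chosen here for illustration.

```python
# Added example: offline triage of a domain list against one brand domain.
# Every entry in SAMPLE is constructed for illustration.

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance: inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(candidate: str, brand_domain: str, max_edits: int = 2) -> str:
    """Return which heuristic a candidate matches.
    Assumes a two-label brand domain such as netlas.io."""
    cand = candidate.lower().rstrip(".")
    brand = brand_domain.lower().rstrip(".")
    name = brand.split(".")[0]
    labels = cand.split(".")
    if len(labels) < 2:
        return "unrelated"
    if cand == brand or cand.endswith("." + brand):
        return "known"                  # brand domain or its own subdomain
    if labels[-2] == name:
        return "other-zone"             # same name, neighboring zone
    if name in labels[:-2]:
        return "third-level"            # workspace under someone else's domain
    dist = edit_distance(labels[-2], name)
    if 1 <= dist <= max_edits:
        return f"fuzzy~{dist}"          # differs by 1 or 2 characters
    return "unrelated"

def triage(candidates, brand_domain):
    """Group candidates by heuristic, dropping known and unrelated ones."""
    groups = {}
    for c in candidates:
        label = classify(c, brand_domain)
        if label not in ("known", "unrelated"):
            groups.setdefault(label, []).append(c)
    return groups

SAMPLE = ["netlas.io", "app.netlas.io", "netlas.am", "netlas.cloud-service.com",
          "netlaz.example", "nettlass.example", "example.org"]

if __name__ == "__main__":
    for label, found in sorted(triage(SAMPLE, "netlas.io").items()):
        print(label, found)
```

Every group it returns still needs human review, since a match only says the name resembles the brand, not whether the resource is Shadow IT or phishing.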
A website sometimes references branding content hosted on another resource, such as the company's logo, rather than storing it directly. The Netlas responses search tool can detect such references. You can filter or group responses to find suspicious content usage.
These same heuristics can be utilized in the search for phishing sites. The challenge lies in the fact that it is quite difficult to distinguish resources falling into the category of Shadow IT from phishing resources without human intervention. Technically, the data of a phishing website often duplicates the data of one of the legitimate sites of a company.
There are numerous other methods for finding phishing sites and Shadow IT using Netlas.io. You can use fuzzy search to identify domain names similar to a specified one, or verify certificates if you suspect a site is mimicking an original resource. Sometimes, positive results are achieved by searching for similar favicons.